KR102620130B1 - APT attack detection method and device - Google Patents

Abstract

APT attack detection methods and devices according to embodiments can classify security events and classify black IPs and suspicious IPs based on similarity to IP packets that have had past security event incidents.

Description

APT (Advanced Persistent Threat) attack detection method and device {APT attack detection method and device}

APT attack detection methods and devices according to embodiments are for detecting APT attacks by analyzing network packets without additional APT-specific security equipment.

APT, an intelligent persistent attack, is an attack that continuously attacks a specific target using an intelligent method, and is different from existing malware that targets an unspecified number of people. The number of APT attack cases continues to increase as social life patterns change. As a method to detect and predict such APT, various APT attack detection methods, such as end-point detection methods and anomaly detection methods, have been researched and developed.

Conventional APT attack detection methods require additional technical skills such as data compatibility from each endpoint when collecting data (events) and the ability to link equipment installed on each endpoint. Additionally, since conventional APT attack detection methods collect and utilize various security events, additional work required for data preprocessing is required, which incurs significant costs. In particular, recent targeted cyber attacks often attack by imitating normal behavior. Therefore, APT attack detection methods based on signatures and anomaly detection may not be able to detect attacks that mimic these normal behaviors. Conventional APT attack detection methods detect and analyze attacks at endpoints, making it difficult to detect and respond to initial attacks and threats in real time. In addition, conventional APT attack detection methods focus on security events to prevent actual cyber attacks and do not provide analysis information to prepare for future attacks.

Therefore, the APT attack detection method according to embodiments includes preprocessing the entire detected data set to classify IP packets transmitting security events, and classifying IP packets transmitting security events. A step of changing the network direction, determining whether IP packets including the IP packet whose network direction has been changed correspond to a persistent attack, and outputting IP packets corresponding to a persistent attack among IP packets transmitting security events. , determining whether the IP packets corresponding to the continuous attack correspond to the targeted attack, outputting IP packets corresponding to the targeted attack among the IP packets corresponding to the continuous attack, each IP packet of the output IP packets and the past It includes measuring the similarity with one or more IP packets in which a security event occurred and classifying the address of the IP packet as a black IP address or a suspicious IP address based on the similarity.

APT attack detection devices according to embodiments include a preprocessing module that classifies IP packets transmitting security events by preprocessing the entire detected data set, and at least one IP packet among the IP packets transmitting security events. A network direction change module that changes the network direction, determines whether IP packets including the IP packet whose network direction has been changed correspond to a persistent attack, and selects IP packets that respond to a persistent attack among IP packets that transmit security events. A persistent attack classification module that outputs, a targeted attack classification module that determines whether the IP packets corresponding to the persistent attack correspond to a targeted attack, and outputs IP packets that correspond to the targeted attack among the IP packets corresponding to the persistent attack. A similarity measurement module measures the similarity between each IP packet and one or more IP packets that have had security events in the past, and based on the similarity, the address of the IP packet is converted into a black IP address or a suspicious IP address. It includes a black IP decision module classified as.

Since the APT attack detection method and device according to embodiments are based on network behavior-based analysis, costs can be reduced by detecting APT without additional equipment.

APT attack detection methods and devices according to embodiments can more quickly detect and respond to APT attacks at the network border.

APT attack detection methods and devices according to embodiments can detect attacks that imitate normal behavior based on minimal behavior and provide rapid detection results.

APT attack detection methods and devices according to embodiments classify and provide not only APT but also risky behaviors to prepare for future attacks, so that future attacks can be blocked and additional detailed analysis can be performed.

The drawings are included to further understand the embodiments, and the drawings represent the embodiments in conjunction with the detailed description. For a better understanding of the various embodiments described below, reference should be made to the detailed description in conjunction with the following drawings, with like reference numerals indicating corresponding parts throughout.
1 is an example of an APT attack detection method according to embodiments.
Figure 2 shows a configuration diagram of an APT attack detection device according to embodiments.
Figure 3 is a block diagram explaining an APT attack detection method according to embodiments.
Figure 4 is a flow chart showing an APT attack detection method according to embodiments.
Figure 5 is a block diagram showing an example of a similarity measurement module according to embodiments.
Figure 6 shows regular expressions according to embodiments.
Figure 7 is a flowchart of an APT attack detection method according to embodiments.

Hereinafter, preferred embodiments will be described in detail, examples of which are shown in the attached drawings. The detailed description below with reference to the accompanying drawings is intended to explain preferred examples of the embodiments rather than showing only embodiments that can be implemented according to the examples of the embodiments. The following detailed description includes details to provide a thorough understanding of the embodiments. However, it will be apparent to those skilled in the art that the embodiments may be practiced without these details.

Most of the terms used in the embodiments are selected from common ones widely used in the field, but some terms are arbitrarily selected by the applicant and their meaning is detailed in the following description as necessary. Accordingly, the embodiments should be understood based on the intended meaning of the terms rather than their mere names or meanings.

1 is an example of an APT attack detection method according to embodiments.

The top of FIG. 1 shows an example 100 of an endpoint-based APT attack detection method, and the bottom of FIG. 1 shows an example 110 of an APT attack detection method according to embodiments.

The endpoint-based APT attack detection method 100 includes linking endpoints that detect security events by analyzing various packets such as network packets, email packets, and storage packets. As described above, equipment to detect security events is installed at each endpoint. Therefore, interconnection work includes data compatibility, equipment interconnection, etc. Security events detected from linked endpoints are analyzed through the endpoint detection and analysis stage. Analyzed security events are classified into APT behavior and normal behavior through detection and analysis stages.

APT attack detection methods according to embodiments are performed based on network behavior. Therefore, the APT attack detection method according to embodiments can classify security events related to APT on the network by attack action (or actions) without equipment for each endpoint. The APT attack detection method according to embodiments can determine the similarity between the events and the attack actions that each event corresponds to. The APT attack detection method according to embodiments may classify actions responding to events into APT actions, normal actions, and dangerous actions based on the determined similarity. Risky behavior according to embodiments is not APT behavior, but represents behavior with a high risk factor in preparation for future attacks. Therefore, the APT attack detection method according to the embodiments can provide information to prepare for not only current attacks but also future attacks.

Figure 2 shows a configuration diagram of an APT attack detection device according to embodiments.

FIG. 2 is a configuration diagram 200 of an APT attack detection device that performs an APT attack detection method (eg, APT attack detection method 110) according to the embodiments described in FIG. 1. Since the configuration diagram shown in FIG. 2 is only an example, the APT attack detection device according to the embodiments is not limited to this example.

The APT attack detection device 200 according to embodiments includes a preprocessing module 210, a network redirection module 220, a persistent attack classification module 230, a targeted attack classification module 240, a similarity measurement module 250, and Includes a black IP determination module 260.

The preprocessing module 210 removes security events unrelated to APT attacks based on IP patterns and thresholds for the entire dataset including security events (raw data). Security events according to embodiments are raw data (raw data) collected from IDS/IPS security equipment and may be in the form of packets (eg, IP packets). The IP pattern according to the embodiments is an IDS/IPS pattern for detecting certain dangerous IP addresses and represents a preset pattern. If the IP patterns are the same, the preprocessing module 210 inputs a certain risky IP address into the IDS/IPS detection pattern regardless of the aggressiveness. The preprocessing module 210 views IP packets in which an IP pattern is detected as detected regardless of aggressiveness and removes the IP packets. Threshold values according to embodiments are preset outlier data for classifying normal/abnormal network traffic and refer to specific outlier data such as flooding, scanning, and brute forcing. The preprocessing module 210 classifies and removes security events exceeding a critical value. The preprocessing module 210 according to embodiments removes IP packets corresponding to the IP pattern and threshold value and transmits security events related to the APT attack to the network redirection module 220.

IP packets that transmit security events related to APT attacks include inbound IP packets and outbound IP packets. An inbound IP packet is an attacker's request that is input from the outside to the inside, and may include a source IP corresponding to the attacker, a destination IP corresponding to the target, etc. An outbound IP packet is a response transmitted from the inside to the outside and may include a source IP, destination IP, etc. The destination IP of the outbound IP packet is the response sent to the attacker. The response sent to this attacker is also related to the attack, just like the request sent by the attacker. Therefore, in order to ensure network direction consistency, the network direction change module 220 configures IP packets that transmit security events related to APT attacks (for example, the destination IP of an outbound IP packet to the source IP). You can change the network direction of (Change Settings). Network redirection according to embodiments includes changing the destination IP of an outbound IP packet to the attacker.

Security events according to embodiments may be transmitted through one or more IP packets. The persistent attack classification module 230 according to embodiments receives IP packets including network redirected IP packets (for example, outbound IP packets), and detects security events transmitted through IP packets in persistent attacks. Determine if it applies. A continuous attack according to embodiments is an attack that continues for more than a preset time. Therefore, a single security event that occurs once and a security event that continues for less than a preset time (θ, for example, 24 hours, etc.) are not judged to be continuous attacks. The continuous attack classification module 230 according to embodiments removes IP packets transmitting a single security event and IP packets transmitting consecutive security events for a time shorter than a preset time. Additionally, the persistent attack classification module 230 groups IP packets classified as persistent attacks by attacker IP and outputs a set of IP groups grouped by attacker IP. The preset time according to embodiments may be set by the user of the APT attack detection device, or may be set automatically. The preset time may be set in hours, but is not limited to this example.

The targeted attack classification module 240 according to embodiments determines whether security events transmitted through IP packets belonging to the set of IP groups output from the persistent attack classification module 230 correspond to targeted attacks. Targeted attacks according to embodiments are attacks that aim to infiltrate the networks of organizations such as major IT infrastructure or targeted companies and institutions in various ways and stay in hiding for a long period of time to leak confidential information or secure control capabilities of major facilities. am. These targeted attacks are not one-time, but occur over a long period of time and are difficult to detect and respond to using various malicious codes or attack routes. Therefore, the targeted attack classification module 240 according to embodiments does not determine that an IP packet with a single pattern is a targeted attack because it is likely to correspond to scanning. In addition, the targeted attack classification module 240 according to embodiments classifies security events transmitted through IP packets targeting organizations and/or hosts smaller than the preset number of organizations and/or hosts (θ) as targeted attacks. Don't judge. The targeted attack classification module 240 according to embodiments removes IP packets having one pattern among IP packets belonging to a set of IP groups and IP packets targeting organizations and/or hosts smaller than the preset number. and output a set of IP groups. The number of preset organizations and/or hosts according to embodiments may be set by the user of the APT attack detection device, or may be set automatically. Since the range of sustained attack classification is wider than the range of targeted attack classification, the targeted attack classification module 240 operates on the output of the sustained attack classification module 230. Accordingly, the set of IP groups output from the targeted attack classification module 240 includes security events corresponding to persistent attacks and targeted attacks.

The similarity measurement module 250 according to embodiments includes the payload of an IP packet belonging to a set of IP groups and the payload of an IP packet that has had an incident related to an existing security event (for example, an inbound IP packet and an outbound IP packet). Similarity can be measured by comparison. IP packets that have occurred in an existing security event can be stored in memory. The similarity measurement module 250 according to embodiments may preprocess data in the payload to measure similarity. The similarity measurement module 250 according to embodiments divides the payload into word by word for data preprocessing and personal information included in the payload (e.g. IP address, resident registration number, phone number, passport number). etc.), special characters, unused characters, etc. can be removed and data for similarity measurement can be generated by dividing the string into certain units. Additionally, the similarity measurement module 250 according to embodiments may perform similarity measurement between payloads by assigning a vector value to each word based on TF-IDF (Term Frequency - Inverse Document Frequency).

TF-IDF according to embodiments is a statistical value indicating how important a word is in a specific sentence or document, and represents a weight. TF is a value that indicates how often a specific character appears, and the higher the value, the more important it is judged to be. However, if the word itself is used frequently, it indicates that the word is a cliché. IDF is the reciprocal of the frequency of a common word and indicates how commonly a word appears in a set of documents. The value of IDF is determined depending on the nature of the sentence or document group. TF-IDF is the product of TF and IDF. TF can be derived from the frequency of a word in one document, and IDF can be obtained by dividing the total number of documents by the number of documents containing the word and then taking the log. The method of calculating TF and IDF and the method of determining similarity are not limited to the above examples and can be calculated and derived in various ways.

The black IP determination module 260 according to embodiments determines whether the IP address of the corresponding IP packet is a black IP address or a suspicious IP address based on the similarity received from the similarity measurement module 250. do. The black IP determination module 260 determines that the IP address of the corresponding IP packet is a black IP address if the similarity is greater than a preset threshold (for example, 80% similarity). Additionally, the black IP determination module 260 determines the IP address of the IP packet as a suspicious IP address if it is below a preset threshold (for example, 80% similarity). The black IP determination module 260 according to embodiments may preset the number of packets for each organization or host, and designate the packets as black IPs if the number of packets with a similarity greater than the preset threshold is greater than the preset number of packets. there is. For example, if the number of packets exceeding the preset limit of similarity set for each organization or host is 3, and the number of IP packets detected as black IP is 2, the corresponding IP packets are determined as black IP regardless of similarity. It doesn't work. The preset limit value and the preset number of packets can be set and changed by the system administrator. The black IP determination module 260 according to embodiments may determine whether the IP address of the corresponding IP packet is a black IP address or a suspicious IP address based only on similarity. Additionally, the black IP determination module 260 according to embodiments may determine whether the IP address of the corresponding IP packet is a black IP address or a suspicious IP address based on similarity and the number of packets. Black IP addresses according to embodiments are IP addresses corresponding to continuous attacks and targeted attacks, and are IP addresses that transmit data similar to past attacks. Suspicious IP addresses according to embodiments are IP addresses that correspond to persistent attacks and targeted attacks, but are still risky IP addresses that transmit data with low similarity to past attacks.

Figure 3 is a block diagram explaining an APT attack detection method according to embodiments.

The block diagram of FIG. 3 shows an APT attack detection method performed by the APT attack detection device (eg, the APT attack detection device 200) described in FIG. 2.

An APT attack detection device (eg, APT attack detection device 200) according to embodiments receives the entire data set 300 corresponding to all detected security events.

The APT attack detection device according to embodiments (e.g., the preprocessing module 210 in FIG. 2) removes security events unrelated to the APT attack based on the IP pattern and threshold and outputs preprocessed security events. do. Since the IP patterns and threshold values according to the embodiments are the same as those described in FIG. 2, detailed descriptions are omitted.

The APT attack detection device (e.g., the network direction change module 220) according to embodiments secures consistency of the network direction of IP packets transmitting security events by changing the network direction of inbound IP packets or outbound IP packets. do. Since the redirected IP packets and the network redirection according to the embodiments are the same as described in FIG. 2, detailed description will be omitted.

An APT attack detection device (for example, the persistent attack classification module 230) according to embodiments determines whether security events transmitted by IP packets correspond to persistent attacks. As described in FIG. 2, APT attack detection devices according to embodiments determine that a single security event and security events that continue for a time shorter than a preset time do not correspond to continuous attacks. APT attack detection devices according to embodiments may remove IP packets that transmit security events that do not correspond to persistent attacks, create IP groups for each attacker's IP, and output a set of IP groups. Since the continuous attack classification operation of the APT attack detection device according to the embodiments is the same as described in FIG. 2, detailed description is omitted.

The APT attack detection device (e.g., the targeted attack classification module 240) according to embodiments determines whether each IP corresponds to a targeted attack for a set of IP groups classified as persistent attacks. APT attack detection devices according to embodiments determine that a security event transmitted through IP packets with one pattern and IP packets targeting a preset number of organizations or hosts does not correspond to a targeted attack. APT attack detection devices according to embodiments may remove IP packets that transmit security events that do not correspond to targeted attacks, create IP groups for each attacker's IP, and output a set of IP groups. Since the target attack classification operation of the APT attack detection device according to the embodiments is the same as described in FIG. 2, detailed description will be omitted.

The APT attack detection device (e.g., similarity measurement module 250) according to embodiments detects the payload of IP packets (e.g., inbound IP packet and outbound IP packet) corresponding to past attacks and the input IP group. Similarity measurement is performed by comparing the payload of IP packets belonging to the set. As described in FIG. 2, an APT attack detection device can generate data for similarity measurement by preprocessing data in the payload. Since data preprocessing according to the embodiments is the same as described in FIG. 2, detailed description will be omitted.

An APT attack detection device (e.g., black IP determination module 260) according to embodiments determines whether each IP address is a black IP address or a suspicious IP address based on the measured similarity result. do. As explained in Figure 2, the APT attack detection device determines the IP address as a black IP address if the similarity is greater than a preset value (for example, 80% similarity). The APT attack detection device determines that the IP address is a suspicious IP address if the similarity is less than a preset value (for example, 80% similarity). Additionally, the black IP determination module 260 according to embodiments presets the number of packets for each organization or host, and designates the packets as black IPs when the number of packets with a similarity greater than the preset threshold is greater than the preset number of packets. It is possible. The preset limit value and the preset number of packets can be set and changed by the system administrator. Since the black IP determination method according to the embodiments is the same as described in FIG. 2, detailed description will be omitted.

Figure 4 is a flow chart showing an APT attack detection method according to embodiments.

The flow chart 400 of FIG. 4 shows an APT attack detection method performed by the APT attack detection device (eg, the APT attack detection device 200) described in FIGS. 1 and 2.

An APT attack detection device according to embodiments collects and stores the entire detected data set (410). The entire data set according to embodiments corresponds to security events.

An APT attack detection device according to embodiments (for example, the preprocessing module 210 described in FIG. 2) classifies security events included in the stored data set (420). As explained in FIG. 2, the APT attack detection device can remove security events unrelated to the APT attack based on IP patterns and thresholds for the entire dataset including security events (raw data).

An APT attack detection device (for example, the network redirection module 220) according to embodiments changes the network direction of IP packets transmitting security events related to the APT attack (430). Network redirection involves changing direction from outbound to inbound. The detailed description is the same as that described in FIGS. 1 to 3.

An APT attack detection device (e.g., persistent attack classification module 230) according to embodiments determines whether security events transmitted through IP packets correspond to persistent attacks (440). Single security events and security events that continue for less than the preset time (θ) are not judged as continuous attacks. APT attack detection devices according to embodiments perform IP grouping for each attacker IP and output a set of IP groups.

An APT attack detection device (e.g., a targeted attack classification module 240) according to embodiments determines whether security events transmitted through a set of IP groups correspond to targeted attacks (450). Security events transmitted through IP packets with one pattern and IP packets targeting a preset number of organizations or hosts are not judged to be targeted attacks. Afterwards, the APT attack detection device according to the embodiments performs IP grouping for each attacker IP and outputs a set of IP groups.

An APT attack detection device according to embodiments (e.g., similarity measurement module 250) determines the similarity between each IP belonging to a set of IP groups and an existing IP (or an IP that has had an existing security event-related incident) (460) ). APT attack detection devices according to embodiments compare the payload of IP packets belonging to a set of IP groups with the payload of IP packets (for example, inbound IP packets and outbound IP packets) that have had incidents related to existing security events. Similarity can be judged. Additionally, APT attack detection devices according to embodiments may preprocess data in the payload to measure similarity.

An APT attack detection device (e.g., black IP determination module 260) according to embodiments may determine whether the corresponding IP is a black IP or a suspicious IP based on similarity (470). APT attack detection devices according to embodiments may determine the IP address of the corresponding IP packet to be a black IP address if the similarity is greater than a preset threshold (for example, 80% similarity). Additionally, the black IP determination module 260 according to embodiments presets the number of packets for each organization or host, and designates the packets as black IPs when the number of packets with a similarity greater than the preset threshold is greater than the preset number of packets. It is possible. The preset limit value and the preset number of packets can be set and changed by the system administrator. Since the black IP determination method according to the embodiments is the same as described in FIG. 2, detailed description will be omitted.

Figure 5 is a block diagram showing an example of a similarity measurement module according to embodiments.

The similarity measurement module 500 shown in FIG. 5 is an example of the similarity measurement module 250 as described in FIGS. 1 to 4. As described above, the similarity measurement module 500 includes a decoding unit 510, a personal information removal unit 520, and a special character removal unit ( 530), an unused character removal unit 540, and a string segment unit 550.

Security data according to embodiments may be IP payload data (or payload data). That is, security data according to embodiments may have a different payload configuration method depending on the protocol in which the security data was generated and may have a key-value data structure. Therefore, the original meaning of security data according to embodiments may vary if the combination of machine language data and natural language data changes, or if the order of keys and values or the relationship between values that appear according to the key changes.

The similarity measurement module according to embodiments may further include one or more elements not shown in the drawing to preprocess data.

The decoding unit 510 according to embodiments may perform decoding on input security data. The decoding unit 510 according to embodiments may perform decoding according to the way the security data was encoded. For example, the decoding unit 510 may convert a hexadecimal encoded string into an ASCII string.

The personal information removal unit 520 according to embodiments may remove personal information from decoded secure data. Personal information according to embodiments may be information about a system administrator or general user. For example, personal information includes IP address, resident registration number, phone number, passport number, etc. The personal information removal unit 520 according to embodiments may identify and remove personal information included in security data through patterns stored according to regular expressions. Regular expressions according to embodiments may be preset by a system administrator or general user. The personal information removal unit 520 according to embodiments may remove unnecessary data to measure similarity for classifying black IPs and maintain security by removing personal information of users or administrators.

The special character removal unit 530 according to embodiments may perform special character removal on secure data from which personal information has been removed. That is, the special character removal process by the special character removal unit 530 according to embodiments may be performed after the personal information removal process by the personal information removal unit 520. If the special character removal process by the special character removal unit 530 according to embodiments is performed before the personal information removal process by the personal information removal unit 520, a problem in which personal information is not removed may occur. For example, if the special character “- (bar)” is first removed from the resident registration number corresponding to personal information, the personal information removal unit 520 cannot identify the resident registration number. The special character removal unit 530 according to embodiments is located after the personal information removal unit 520 and can solve the above-mentioned problems. That is, the special character removal unit 530 according to embodiments can remove special characters excluding special characters required for similarity measurement. For example, the special character removal unit 530 can remove special characters except @ (at), _ (underbar), . (dot), and / (slash). The special character removal unit 530 according to embodiments may identify and remove special characters included in security data through patterns stored according to regular expressions. Regular expressions according to embodiments may be preset by a system administrator or general user. The special character removal unit 530 according to embodiments can generate optimal learning data by removing unnecessary data that is not included in similarity measurement.

The unused character removal unit 540 according to embodiments may perform unused character removal on security data from which special characters have been removed. The unused character removal unit 540 according to embodiments may remove data that was not removed in the above-described personal information removal process and special character removal process among data not included in similarity measurement. That is, the process of removing unused characters by the unused character removal unit 540 according to embodiments may be performed after the personal information removal process and the special character removal process described above. For example, the unused character removal unit 540 can remove data consisting only of special characters, data consisting of only one number and one letter, data consisting of only one special character and letters, etc. The invalid character removal unit 540 according to embodiments may identify and remove invalid characters included in security data through patterns stored according to regular expressions. Regular expressions according to embodiments may be preset by a system administrator or general user. The unused character removal unit 540 according to embodiments may remove unnecessary data that is not included in similarity measurement.

The string segment unit 550 according to embodiments may perform string segmentation on secure data from which unused characters have been removed. The string segmentation process according to embodiments may be a process of tokenizing a string based on tab characters (eg, '\t', '\f', '\v', etc.). Strings (or data) over a certain length may not be used for similarity determination. Therefore, the string segment unit 550 according to embodiments divides (or tokenizes) the string into a certain length or less for security data from which personal information, special characters, and unused characters have been removed in order, and provides data for similarity measurement. can be created.

The string segmentation process by the string segment unit 550 according to embodiments may be performed after the above-described personal information removal process, special character removal process, and unused character removal process. If the string segmentation process by the string segment unit 550 according to the embodiments is performed before the personal information removal process, special character removal process, and unused character removal process described above, the output data of the similarity measurement module according to the embodiments will vary. You can. For example, if the above-described personal information removal process, special character removal process, and unused character removal process are performed on data containing “010-0000-0000/desk/1r40”, it is as follows:

Remove personal information: /desk/1r40

Remove special characters: desk 1r40

Remove unnecessary characters: desk

For example, for data with “010-0000-0000/desk/1r40”, a string segment process (e.g., 10 units) is performed before the personal information removal process, special character removal process, and unused character removal process described above. If you do this:

String segment: 010-0000-0 000/desk/1 r40

Remove personal information: 010-0000-0 000/desk/1 r40

Remove special characters: 010-0000-0 000/desk/1

Remove unused characters: 010-0000-0 000 desk 1

That is, if the string segmentation process by the string segment unit 550 according to the embodiment is performed before the personal information removal process, special character removal process, and unused character removal process described above, the output of the similarity measurement module is included in the similarity measurement. It may contain data that is not available. Therefore, the similarity measurement module according to embodiments may perform string segment processing last and remove data that is not included in the similarity measurement.

Figure 6 shows regular expressions according to embodiments.

Figure 6 is a diagram showing an example of a regular expression (eg, the regular expression described in Figure 5) used in the similarity measurement module. The personal information removal process, special character removal process, and unused character removal process described in FIG. 5 may each be performed according to regular expressions preset by the system administrator or general user.

The personal information removal unit (personal information removal unit 520 in FIG. 5) according to embodiments may perform a personal information removal process according to a preset regular expression. The regular expression for the personal information removal unit according to embodiments may include an IP pattern, a resident registration number pattern, a phone number pattern, and/or a passport number pattern.

The IP address according to embodiments may be in IPv4 (IPversion4) format. An IP address according to embodiments may have a pattern in which a 3-digit number is expressed in 4 words, such as any one of 000.000.000.000 to 255.255.255.255. That is, the pattern representing the IP address according to the embodiments is ((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9]) \.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9]). Accordingly, the personal information removal unit according to embodiments may be configured as ip_pattern = r'((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9 ])\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])' Accordingly, the IP address included in the security data (the security data described in Figure 5) can be identified and deleted.

The resident registration number according to embodiments may have a pattern expressed as a total of 13 numbers with 6 numbers in front and 7 numbers at the end based on - (bar).

That is, the pattern representing the resident registration number according to the embodiments is ([0-9]{2}(0[1-9]|1[0-2])(0[1-9]|[1-2][ It could be 0-9]|3[0,1])[-][1-4][0-9]{6}). Therefore, the personal information removal unit according to embodiments res_pattern = r'([0-9]{2}(0[1-9]|1[0-2])(0[1-9]|[1- to security data (secure data described in Figure 5) according to a regular expression with '2][0-9]|3[0,1])[-][1-4][0-9]{6})'. You can identify the resident registration number included and delete it.

The phone number according to embodiments may include an area code expressed by 2 or 3 numbers, a first digit number expressed by 3 or 4 numbers, and a last digit number expressed by 4 numbers, and the above-mentioned area code , the first digit number and the last digit number can each be separated by - (bar). That is, the pattern representing the phone number according to the embodiments is ([0-9]{2, 3}[-][0-9]{3, 4}[-][0-9]{4}). You can. Therefore, the personal information removal unit according to embodiments phone_pattern = r'([0-9]{2, 3}[-][0-9]{3, 4}[-][0-9]{4} )', you can identify phone numbers included in secure data and delete them.

Passport numbers according to embodiments may have a pattern represented by one of M, T, S, R, G, and D and eight numbers. That is, the pattern representing the passport number according to embodiments may be ([MTSRGD][0-9]{8}). Therefore, the personal information removal unit according to embodiments may include the passport number included in the security data (the security data described in FIG. 5) according to a regular expression with passport_pattern = r'([MTSRGD][0-9]{8})'. can be identified and deleted.

The personal information removal process according to the preset regular expression of the personal information removal unit according to the embodiments is not limited to the above-described embodiments.

The special character removal unit (special character removal unit 523 in FIG. 5) according to embodiments may perform a special character removal process according to a preset regular expression (not shown in this figure). As described above in FIG. 5, the special character removal unit removes special characters excluding special characters (e.g., @ (at), _ (underbar), . (dot), and / (slash) required for similarity measurement. You can.

The unused character removal unit (the unused character removal unit 524 in FIG. 5) according to embodiments may perform a process of removing unused characters according to a preset regular expression. Regular expressions for unused characters according to embodiments include a string pattern consisting of only special characters, a special character pattern in a string ending with a special character, a special character pattern in a string starting with a special character, one character, one special character, and It can include a 3-digit string pattern consisting of one letter, a 3-digit string pattern consisting of 1 number, 1 letter and 1 number, and a string pattern consisting of only 1 number.

The unused character removal unit according to embodiments includes the security data according to a regular expression having row = re.sub('\s[@\-_.]{2,}\s', ' ', row). You can identify and remove strings that consist only of special characters (e.g. @\-_ and .).

The unused character removal unit according to embodiments uses a regular expression having special_char_pattern = '([@\-_.]{1,})(\w)', Characters can be identified and removed.

The unused character removal unit according to embodiments uses a regular expression having special_char_pattern ='(\w)([@\-_.]{1,})', in a string starting with a special character included in the security data. Special characters can be identified and removed.

The unused character removal unit according to embodiments uses a regular expression with special_char_pattern = '\s[azA-Z]{1}0-9]{1}[a-zA-Z]{1}\s', You can identify and remove a 3-character string consisting of 1 character, 1 special character, and 1 character included in the data.

The unused character removal unit according to embodiments follows a regular expression with special_char_pattern = '\s[0-9]{1}[ a-zA-Z]{1}[ 0-9]{1}\s', It can identify and remove a 3-character string consisting of 1 number, 1 letter, and 1 number included in secure data.

The unused character removal unit according to embodiments can identify and remove a string consisting of only one number included in security data according to a regular expression having special_char_pattern ='\s[0-9]{1,}\s'. there is.

The process of removing unused characters according to a preset regular expression of the unused character removal unit according to the embodiments is not limited to the above-described embodiments.

Therefore, the personal information removal unit, special character removal unit, and unused character removal unit of the similarity measurement module according to embodiments can efficiently perform a removal process according to a preset regular expression.

Figure 7 is a flowchart of an APT attack detection method according to embodiments.

The flowchart 700 of FIG. 7 shows the APT attack detection method of the APT attack detection device (for example, the APT attack detection device 200 of FIG. 2) described in FIGS. 1 to 6.

An APT attack detection device according to embodiments (e.g., preprocessing module 210) preprocesses the entire detected data set and classifies IP packets transmitting security events (710). APT attack detection devices according to embodiments may classify IP packets transmitting security events related to APT attacks by removing security events unrelated to APT attacks based on IP patterns and thresholds. Since the method of classifying IP packets according to the embodiments is the same as described in FIGS. 2 to 6, detailed description will be omitted.

An APT attack detection device (e.g., network redirection module 220) according to embodiments changes the network direction of at least one IP packet among IP packets transmitting security events (720). If at least one IP packet is an outbound IP packet, the APT attack detection device according to embodiments sets the destination IP of the outbound IP packet to the attacker IP and changes the network direction. Since the network direction change according to the embodiments is the same as described in FIGS. 2 to 6, detailed description is omitted.

The APT attack detection device (e.g., persistent attack classification module 230) according to embodiments determines whether IP packets, including IP packets whose network direction has been switched, respond to persistent attacks, and transmits security events. Among the IP packets, IP packets corresponding to persistent attacks are output (730). APT attack detection devices according to embodiments can remove single security events and IP packets that transmit consecutive security events for a time shorter than a preset time. Since the persistent attack classification method according to the embodiments is the same as described in FIGS. 2 to 6, detailed description is omitted.

The APT attack detection device (e.g., the targeted attack classification module 240) according to embodiments determines whether IP packets corresponding to the persistent attack correspond to the targeted attack, and determines whether the IP packets corresponding to the persistent attack are targeted. IP packets corresponding to the attack are output (740). An APT attack detection device according to embodiments may remove IP packets with one pattern and IP packets targeting organizations and/or hosts smaller than a preset number. Additionally, the APT attack detection device according to embodiments may generate a set of IP groups by grouping IP packets corresponding to the target attack among IP packets corresponding to persistent attacks by attacker IP. Since the targeted attack classification method according to the embodiments is the same as described in FIGS. 2 to 6, detailed description is omitted.

The APT attack detection device (e.g., similarity measurement module 250) according to embodiments measures the similarity between each IP packet of output IP packets and one or more IP packets that have had security events in the past ( 750). Similarity according to embodiments indicates the similarity between data in the payload of each IP packet and data in the payload of one or more IP packets in which the past security event occurred. APT attack detection devices according to embodiments may preprocess data in the payload of each IP packet to measure similarity. For example, the APT attack detection device removes personal information included in the data in the payload of each IP packet, removes special characters in the data from which personal information has been removed, removes unused characters from data from which special characters have been removed, and , the string in the data with unused characters removed can be segmented to a certain length. Since the similarity measurement method according to the embodiments is the same as that described in FIGS. 2 to 6, detailed description will be omitted.

The APT attack detection device (e.g., black IP determination module 260) according to embodiments classifies the address of the IP packet as a black IP address or a suspicious IP address based on similarity (760). APT attack detection devices according to embodiments classify the address of the IP packet as a black IP address when the similarity is greater than a preset value, and classify the address of the IP packet as a suspicious IP address when the similarity is less than the preset value. Additionally, the black IP determination module 260 according to embodiments presets the number of packets for each organization or host, and designates the packets as black IPs when the number of packets with a similarity greater than the preset threshold is greater than the preset number of packets. It is possible. The preset limit value and the preset number of packets can be set and changed by the system administrator. Since the black IP determination method according to the embodiments is the same as described in FIGS. 2 to 6, detailed description is omitted.

Components of the APT attack detection device according to the embodiments described in FIGS. 1 to 7 may be implemented as hardware including one or more processors combined with memory, software, firmware, or a combination thereof. Components of the APT attack detection device according to embodiments may be implemented with one chip, for example, one hardware circuit. Additionally, components of the APT attack detection device according to embodiments may each be implemented as separate chips. In addition, at least one of the components of the APT attack detection device according to embodiments may be composed of one or more processors capable of executing one or more programs, and the one or more programs may be configured as shown in FIGS. 1 to 1. It may include instructions for performing or performing one or more of the operations/methods of the APT attack detection device described in FIG. 7.

For convenience of explanation, each drawing has been described separately, but it is also possible to design a new embodiment by merging the embodiments described in each drawing. In addition, according to the needs of those skilled in the art, designing a computer-readable recording medium on which programs for executing the previously described embodiments are recorded also falls within the scope of the rights of the embodiments. The apparatus and method according to the embodiments are not limited to the configuration and method of the embodiments described above, but the embodiments are selectively combined in whole or in part so that various modifications can be made. It may be composed. Although preferred examples have been shown and described, the embodiments are not limited to the specific examples described above, and can be understood by those skilled in the art without departing from the gist of the embodiments claimed in the claims. Of course, various modifications are possible, and these modifications should not be understood individually from the technical ideas or perspectives of the embodiments. Descriptions of devices and methods according to embodiments may be applied to complement each other.

Various components of the device according to embodiments may be configured by hardware, software, firmware, or a combination thereof. Various components of the embodiments may be implemented with one chip, for example, one hardware circuit. Depending on the embodiments, the components according to the embodiments may be implemented with separate chips. Depending on the embodiments, at least one or more of the components of the device according to the embodiments may be composed of one or more processors capable of executing one or more programs, and the one or more programs may be executed. It may perform one or more of the operations/methods according to the examples, or may include instructions for performing them. Executable instructions for performing methods/operations of a device according to embodiments may be stored in a non-transitory CRM or other computer program product configured for execution by one or more processors, or may be stored in one or more processors. It may be stored in temporary CRM or other computer program products configured for execution by processors. Additionally, memory according to embodiments may be used as a concept that includes not only volatile memory (eg, RAM, etc.) but also non-volatile memory, flash memory, and PROM. Additionally, it may also be implemented in the form of a carrier wave, such as transmission through the Internet. Additionally, the processor-readable recording medium is distributed in a computer system connected to a network, so that the processor-readable code can be stored and executed in a distributed manner.

In this document, “/” and “,” are interpreted as “and/or.” For example, “A/B” is interpreted as “A and/or B”, and “A, B” is interpreted as “A and/or B”. Additionally, “A/B/C” means “at least one of A, B and/or C.” Additionally, “A, B, C” also means “at least one of A, B and/or C.” Additionally, in this document, “or” is interpreted as “and/or.” For example, “A or B” may mean 1) only “A”, 2) only “B”, or 3) “A and B”. In other words, “or” in this document may mean “additionally or alternatively.”

Terms such as first, second, etc. may be used to describe various components of the embodiments. However, the interpretation of various components according to the embodiments should not be limited by the above terms. These terms are merely used to distinguish one component from another. It's just a thing. For example, a first user input signal may be referred to as a second user input signal. Similarly, the second user input signal may be referred to as the first user input signal. Use of these terms should be interpreted without departing from the scope of the various embodiments. The first user input signal and the second user input signal are both user input signals, but do not mean the same user input signals unless clearly indicated in the context.

The terminology used to describe the embodiments is for the purpose of describing specific embodiments and is not intended to limit the embodiments. As used in the description of the embodiments and the claims, the singular is intended to include the plural unless the context clearly dictates otherwise. The expressions and/or are used in a sense that includes all possible combinations between the terms. The expression includes describes the presence of features, numbers, steps, elements, and/or components and does not imply the absence of additional features, numbers, steps, elements, and/or components. . Conditional expressions such as when, when, etc. used to describe the embodiments are not limited to optional cases. It is intended that when a specific condition is satisfied, the relevant operation is performed or the relevant definition is interpreted in response to the specific condition.

Claims (20)

Preprocessing the entire detected data set to classify IP packets transmitting security events;
switching the network direction of at least one IP packet transmitting the security events;
determining whether the IP packets, including the IP packet whose network direction has been changed, correspond to a persistent attack, and outputting IP packets corresponding to the persistent attack among IP packets transmitting the security events;
determining whether the IP packets corresponding to the sustained attack correspond to a targeted attack, and outputting IP packets corresponding to the targeted attack among the IP packets corresponding to the sustained attack;
Measuring similarity between each of the output IP packets and one or more IP packets in which a security event occurred in the past; and
Classifying the address of the IP packet as a black IP address or a suspicious IP address based on the similarity,
The similarity is,
Indicates the similarity between data in the payload of each IP packet and data in the payload of one or more IP packets in which the past security event occurred,
The step of measuring the similarity between each IP packet of the output IP packets and one or more IP packets in which a past security event occurred,
Removing personal information included in data in the payload of each IP packet;
Removing special characters from the data from which the personal information has been removed;
removing unused characters from data from which the special characters have been removed; and
A step of segmenting a string in the data from which the unused characters have been removed to a certain length, wherein the string is tokenized based on a tab character.
How to detect APT attacks.
delete delete The method of claim 1, wherein classifying the address of the IP packet as a black IP address or a suspicious IP address based on the similarity comprises:
APT attack detection comprising classifying the address of the IP packet as a black IP address if the similarity is greater than a preset value, and classifying the address of the IP packet as a suspicious IP address if the similarity is less than a preset value. method.
The method of claim 4, wherein classifying the address of the IP packet as a black IP address or a suspicious IP address based on the similarity comprises:
If the number of IP packets having a similarity greater than the preset value is greater than the preset number of packets, determining the address of the IP packets having a similarity greater than the preset value as a black IP address, where the preset number of packets is APT attack detection method, set by institution or host. The method of claim 4, wherein the preprocessing of the entire detected data set to classify IP packets transmitting security events comprises:
An APT attack detection method that classifies IP packets that transmit security events related to APT attacks by removing security events unrelated to APT attacks based on IP patterns and thresholds. The method of claim 6, wherein switching the network direction of at least one IP packet among the IP packets transmitting the security events comprises:
If the at least one IP packet is an outbound IP packet, an APT attack detection method of changing the network direction by setting the destination IP of the outbound IP packet to the attacker IP. The method of claim 7, wherein it is determined whether the IP packets, including the IP packet whose network direction has been changed, correspond to a persistent attack, and IP packets corresponding to the persistent attack are selected among the IP packets transmitting the security events. The output steps are:
An APT attack detection method including the step of removing IP packets that transmit a single security event and consecutive security events for a period of time less than a preset time. The method of claim 8, wherein the step of determining whether the IP packets corresponding to the sustained attack correspond to a targeted attack and outputting IP packets corresponding to the targeted attack among the IP packets corresponding to the sustained attack include:
An APT attack detection method comprising removing IP packets with one pattern and IP packets targeting organizations and/or hosts smaller than a preset number. The method of claim 9, wherein the IP packets corresponding to the targeted attack among the IP packets corresponding to the persistent attack are a set of IP groups created by grouping each attacker IP. A preprocessing module that classifies IP packets transmitting security events by preprocessing the entire detected data set;
a network direction change module that changes the network direction of at least one IP packet among the IP packets transmitting the security events;
A persistent attack classification module that determines whether the IP packets, including the IP packet whose network direction has been changed, correspond to a persistent attack, and outputs IP packets corresponding to the persistent attack among the IP packets transmitting the security events. ;
a targeted attack classification module that determines whether IP packets corresponding to the sustained attack correspond to a targeted attack and outputs IP packets corresponding to the targeted attack among the IP packets corresponding to the sustained attack;
a similarity measurement module that measures the similarity between each of the output IP packets and one or more IP packets that have had security events in the past;
It includes a black IP determination module that classifies the address of the IP packet as a black IP address or a suspicious IP address based on the similarity,
The similarity is,
Indicates the similarity between data in the payload of each IP packet and data in the payload of one or more IP packets in which the past security event occurred,
The similarity measurement module is,
Personal information included in the data in the payload of each IP packet is removed, special characters in the data from which the personal information has been removed are removed, unused characters in the data from which the special characters have been removed are removed, and the unused characters are removed from the data. The string in the removed data is segmented to a certain length, and the string is tokenized based on the tab character.
APT attack detection device.
delete delete The method of claim 11, wherein the black IP determination module,
An APT attack detection device that classifies the address of the IP packet as a black IP address when the similarity is greater than a preset value, and classifies the address of the IP packet as a suspicious IP address when the similarity is less than a preset value.
The method of claim 14, wherein the black IP determination module,
If the number of IP packets having a similarity greater than the preset value is greater than the preset number of packets, determining the address of the IP packets having a similarity greater than the preset value as a black IP address, where the preset number of packets is APT attack detection device, set according to institution or host. The method of claim 14, wherein the preprocessing module,
An APT attack detection device that classifies IP packets that transmit security events related to APT attacks by removing security events unrelated to APT attacks based on IP patterns and thresholds. The method of claim 16, wherein the network redirection module,
If the at least one IP packet is an outbound IP packet, an APT attack detection device that changes the network direction by setting the destination IP of the outbound IP packet to the attacker IP. The method of claim 17, wherein the sustained attack classification module,
An APT attack detection device that removes single security events and IP packets that transmit consecutive security events for less than a preset time. The method of claim 18, wherein the targeted attack classification module,
An APT attack detection device that removes IP packets with one pattern and IP packets targeting organizations and/or hosts smaller than a preset number. The APT attack detection device according to claim 19, wherein the IP packets corresponding to the targeted attack among the IP packets corresponding to the persistent attack are a set of IP groups created by grouping each attacker IP.

Images